patch unauthenticated users being able to read sensitive config fields by viewing them individually instead of listing them (#37)
David Cooke committed Oct 3, 2020
1 parent 41edf92 commit f3dc89b
Showing 2 changed files with 9 additions and 3 deletions.
4 changes: 4 additions & 0 deletions src/config/config.py
Expand Up @@ -64,6 +64,10 @@ def get_all_non_sensitive():
return config


def is_sensitive(key):
return key in backend.get('sensitive_fields')


def set_bulk(values: dict):
for key, value in values.items():
set(key, value)
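Review bot: The new is_sensitive() has no docstring, and its membership test `key in backend.get('sensitive_fields')` states no expectation about what the backend returns; if the lookup yields None when the setting is absent, every call raises TypeError rather than answering the question. A docstring such as `"""Return True if *key* is listed in the backend's 'sensitive_fields' collection."""` would fix the contract for callers in views.py. Whether the backend can return None is not visible here, so confirm it before adding a default: `backend.get('sensitive_fields') or ()` would silently classify every field as non-sensitive, which is the wrong direction to fail, so an explicit error or a startup-time validation is preferable.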
8 changes: 5 additions & 3 deletions src/config/views.py
@@ -1,4 +1,4 @@
from rest_framework.status import HTTP_400_BAD_REQUEST
from rest_framework.status import HTTP_400_BAD_REQUEST, HTTP_403_FORBIDDEN
from rest_framework.views import APIView

from backend.response import FormattedResponse
Expand All @@ -12,10 +12,12 @@ class ConfigView(APIView):

def get(self, request, name=None):
if name is None:
if request.user.is_staff:
if request.user.is_superuser:
return FormattedResponse(config.get_all())
return FormattedResponse(config.get_all_non_sensitive())
return FormattedResponse(config.get(name))
if not config.is_sensitive(name) or request.is_superuser:
return FormattedResponse(config.get(name))
return FormattedResponse(status=HTTP_403_FORBIDDEN)

def post(self, request, name):
if "value" not in request.data:
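Review bot: The new guard in get() reads `request.is_superuser`, while the listing branch two lines above reads `request.user.is_superuser`; a REST framework Request has no is_superuser attribute of its own (unknown attribute lookups fall through to the wrapped Django HttpRequest, which does not define it either), so whenever the name is sensitive the right-hand operand raises AttributeError and the view answers 500 instead of the intended 403 — and a superuser can never read a sensitive field individually. The line should be `if not config.is_sensitive(name) or request.user.is_superuser:`. The error happens to fail closed for non-superusers, but only by accident; a test that fetches a sensitive key as a superuser (expect 200) and as an anonymous user (expect 403) would pin both outcomes. The import change in the first hunk is fine and only becomes reachable once this is corrected.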
